This is an add-on powered by the Splunk Add-on Builder.
Sonrai Security Add-on For Splunk can be installed through the UI as shown below. Alternatively, the .tar or .spl file can be extracted directly into the $SPLUNK_HOME/etc/apps/ folder.

1. Click Install app from file.
2. Click Choose file and select the TA-Sonrai installation file.
3. Click Upload.
This Add-On can be set up in two ways:

Search Head + Indexer + Heavy forwarder: configure forwarding to the indexer for this setup with:

`$SPLUNK_HOME/bin/splunk add forward-server <indexer_ip_address>:9997`

NOTE: For the distributed environment, only the indexes of the Forwarder are shown in the input configuration page.
Configure Sonrai Security Add-on For Splunk:

Users can configure a Sonrai Account for collecting data from the Sonrai Platform in the Account section, and Proxy or Logging in their respective sections.

To configure the Account and Proxy, go to Setup -> Configuration. To add an account, click Add in the Account section and fill in the following parameters:
.Sonrai Account Parameters | Mandatory or Optional | Description |
---|---|---|
Account name | Mandatory | Name of the account |
Sonrai Organization ID | Mandatory | Endpoint Organization ID of the user's Sonrai account |
Sonrai Token | Mandatory | Token generated on the Sonrai Portal. The provided token should have a 30-day lifetime. |
Sonrai Host | Optional | Sonrai Platform hostname to pull the events. |
To configure the Proxy:

1. Go to Setup -> Configuration.
2. Open the Proxy tab and fill in the following parameters.
3. Click Save.
.Proxy Parameters | Mandatory or Optional | Description |
---|---|---|
Enable | Optional | To enable or disable the proxy |
Proxy Type | Mandatory | Select the proxy type that you want to use from the dropdown (supports HTTP/SOCKS4/SOCKS5) |
Proxy Host | Mandatory | Host or IP of the proxy server |
Proxy Port | Mandatory | Port for proxy server |
Proxy Username | Optional | Username of the proxy server |
Proxy Password | Optional | Password of the proxy server |
To configure the Logging:

1. Go to Setup -> Configuration.
2. Open the Logging tab and configure the logging settings.
3. Click Save.

To configure the Inputs:

1. Go to Setup -> Inputs.
2. Click Create New Input; a window opens for configuring the Sonrai Tickets Input.
3. Fill in the fields and click Add to configure the input. Field descriptions are as below:

Sonrai Tickets Input
Input Parameter | Mandatory or Optional | Description |
---|---|---|
Name | Mandatory | A name to uniquely identify the input |
Interval | Mandatory | Interval must be in the range 1200 to 7200 |
Index | Mandatory | Index in which the data needs to be ingested |
Sonrai Account | Mandatory | Select Sonrai account for the given Input |
Severity Category | Optional | Select Category for which data needs to be ingested |
Environment | Optional | Select environment value for which data needs to be ingested |
Cloud Type | Optional | Select cloud type value for which data needs to be ingested |
Swimlane | Optional | Select swimlane value for which data needs to be ingested |
Start DateTime | Optional | Select the UTC Start DateTime from which data needs to be fetched from the Sonrai portal |
NOTE: If multiple inputs are created with overlapping configurations, duplicate events will be ingested into Splunk.
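The interval range and the overlap note above can both be checked before inputs are saved. The following Python script is an added example and is not part of the add-on; it models Sonrai Tickets Input definitions as dictionaries whose keys follow the field names in the table (the sample values are constructed), reports intervals outside 1200 to 7200, and lists pairs of inputs on the same account whose optional filters overlap, which is the condition that produces duplicate events. An unset optional filter is treated as "all values", so an unfiltered input overlaps every other input on the same account.

```python
"""Validate Sonrai Tickets Input definitions (added example, not add-on code).

Each input is a dict keyed by the field names from the input table. Optional
filter fields (severity_category, environment, cloud_type, swimlane) may be
None, meaning "all values". Start DateTime only narrows the time window and
does not remove an overlap, so it is not part of the overlap test.
"""

INTERVAL_MIN, INTERVAL_MAX = 1200, 7200
FILTER_FIELDS = ("severity_category", "environment", "cloud_type", "swimlane")

# Constructed sample inputs; account and filter values are illustrative only.
SAMPLE_INPUTS = [
    {"name": "tickets_prod_aws", "interval": 3600, "index": "sonrai",
     "sonrai_account": "acct1", "severity_category": "HIGH",
     "environment": "prod", "cloud_type": "aws", "swimlane": None},
    {"name": "tickets_all", "interval": 1800, "index": "sonrai",
     "sonrai_account": "acct1", "severity_category": None,
     "environment": None, "cloud_type": None, "swimlane": None},
    {"name": "tickets_dev_gcp", "interval": 600, "index": "sonrai",
     "sonrai_account": "acct1", "severity_category": "HIGH",
     "environment": "dev", "cloud_type": "gcp", "swimlane": None},
    {"name": "tickets_other_account", "interval": 7200, "index": "sonrai",
     "sonrai_account": "acct2", "severity_category": None,
     "environment": None, "cloud_type": None, "swimlane": None},
]


def interval_errors(inputs):
    """Return the names of inputs whose interval is outside 1200..7200."""
    return [i["name"] for i in inputs
            if not INTERVAL_MIN <= int(i["interval"]) <= INTERVAL_MAX]


def filters_overlap(a, b):
    """Two inputs overlap when they use the same Sonrai account and, on
    every optional filter, either both select the same value or at least
    one of them selects everything (None)."""
    if a["sonrai_account"] != b["sonrai_account"]:
        return False
    return all(a[f] is None or b[f] is None or a[f] == b[f]
               for f in FILTER_FIELDS)


def overlapping_pairs(inputs):
    """Return sorted (name, name) pairs that would ingest the same tickets."""
    pairs = []
    for idx, a in enumerate(inputs):
        for b in inputs[idx + 1:]:
            if filters_overlap(a, b):
                pairs.append(tuple(sorted((a["name"], b["name"]))))
    return sorted(pairs)


def validate(inputs):
    """Summarise both checks so the result can be reviewed or asserted on."""
    return {"bad_intervals": interval_errors(inputs),
            "overlaps": overlapping_pairs(inputs)}


if __name__ == "__main__":
    report = validate(SAMPLE_INPUTS)
    for name in report["bad_intervals"]:
        print(f"{name}: interval outside {INTERVAL_MIN}-{INTERVAL_MAX}")
    for left, right in report["overlaps"]:
        print(f"{left} and {right}: overlapping filters, expect duplicates")
```

Run against the constructed inputs, the script flags `tickets_dev_gcp` for its 600-second interval and reports `tickets_all` as overlapping with both other inputs on the same account; `tickets_other_account` is clean because it uses a different Sonrai account.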
To verify the ingested data, go to the Search tab and run:

`index=* sourcetype="sonrai:sec:tickets"`

Users can explore a ticket on the Sonrai platform by using the provided workflow action: click "Redirect to Sonrai Ticket" under Event Actions.

Troubleshooting:

Use the query `index="_internal" source=*ta_sonrai*.log` to see all the add-on logs in the Splunk UI. Use `index="_internal" source=*ta_sonrai*.log ERROR` to see only the ERROR logs.

The log files are also available in the $SPLUNK_HOME/var/log/splunk/ directory. Check the ta_sonrai_sonrai_tickets_input.log file for the Sonrai Tickets input for any relevant error messages.

If the log shows "Unable to renew Sonrai token", update the Sonrai account credentials on the account configuration page.

NOTE: The provided token should have a 30-day lifetime.
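When the ERROR search above is not available (for example when reviewing a log file copied off the host), the same triage can be done directly on the file. The following Python script is an added example and not part of the add-on: it parses a constructed excerpt of a ta_sonrai_sonrai_tickets_input.log, keeps the ERROR entries, counts them by message, and maps the "Unable to renew Sonrai token" message to the remediation given above. The line layout (timestamp, level, context, then the message after a " | " separator) is an assumption made for the example; the add-on's real log format may differ, in which case only LINE_RE needs adjusting.

```python
"""Triage ERROR entries in a Sonrai add-on log (added example, not add-on code).

Assumed line layout (constructed for this example):
    <YYYY-MM-DD HH:MM:SS,mmm> <LEVEL> <context...> | <message>
"""
import re
from collections import Counter

# Constructed sample; not copied from a real ta_sonrai_sonrai_tickets_input.log.
SAMPLE_LOG = """\
2022-06-01 09:00:01,120 INFO pid=2101 tid=MainThread file=sonrai_tickets_input.py:collect_events:55 | Fetching tickets for account acct1
2022-06-01 09:00:02,340 DEBUG pid=2101 tid=MainThread file=sonrai_tickets_input.py:collect_events:70 | Received 42 tickets
2022-06-01 10:00:01,200 ERROR pid=2101 tid=MainThread file=sonrai_tickets_input.py:get_token:31 | Unable to renew Sonrai token
2022-06-01 10:00:01,205 ERROR pid=2101 tid=MainThread file=sonrai_tickets_input.py:collect_events:60 | Skipping collection for account acct1
2022-06-01 11:00:01,300 ERROR pid=2101 tid=MainThread file=sonrai_tickets_input.py:get_token:31 | Unable to renew Sonrai token
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"(?P<level>[A-Z]+) (?P<ctx>.*?) \| (?P<msg>.*)$"
)

# Known message fragment -> remediation from the troubleshooting notes above.
REMEDIATION = {
    "Unable to renew Sonrai token":
        "Update the Sonrai account credentials on the account configuration "
        "page; the provided token should have a 30-day lifetime.",
}


def parse_log(text):
    """Return one dict per line that matches the assumed layout."""
    records = []
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if match:
            records.append(match.groupdict())
    return records


def error_records(text):
    """Equivalent of the `... ERROR` search: keep only ERROR-level lines."""
    return [r for r in parse_log(text) if r["level"] == "ERROR"]


def error_counts(text):
    """Count ERROR lines by message so repeated failures stand out."""
    return Counter(r["msg"] for r in error_records(text))


def remediations(text):
    """Map each known error message seen in the log to its fix."""
    found = {}
    for record in error_records(text):
        for fragment, fix in REMEDIATION.items():
            if fragment in record["msg"]:
                found[fragment] = fix
    return found


if __name__ == "__main__":
    for msg, n in error_counts(SAMPLE_LOG).most_common():
        print(f"{n:3d}  {msg}")
    for fragment, fix in remediations(SAMPLE_LOG).items():
        print(f"\n{fragment}: {fix}")
```

On the constructed excerpt the script reports three ERROR lines, two of them the token renewal failure, and prints the credential update step for it; any other message is still counted so that a new failure mode is not silently dropped.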
https://eula.sonraisecurity.com/Sonrai%20Security%20Click-Through%20EUL%20Agreement.pdf
Copyright (C) Sonraí Security 2022.